Security and Compliance component issue when using Export-M365DSCConfiguration to export the SCLabelPolicy policies

[rick-engle]

Description of the issue

After successfully exporting the majority of the SCAuditConfigurationPolicy data using Export-M365DSCConfiguration, one section failed compleley when it tried to export the SCLabelPolicy label policies:

[20/30] Extracting [SCLabelPolicy] using {Credentials}...
|---[1/5] Public PolicyWrite-ErrorMessage : Cannot process argument transformation on parameter 'Identity'. Cannot convert value "00000000-0000-
0000-0000-000000000000"
to type "Microsoft.Office.CompliancePolicy.Tasks.ComplianceRuleIdParameter". Error: "The format of the value you specified in the objectId parameter isn't valid. Check the value, and then try again.
Parameter name: objectId"
At C:\Users\ricke.REDMOND\AppData\Local\Temp\tmpEXO_ivkn10a1.jxt\tmpEXO_ivkn10a1.jxt.psm1:1207 char:13

•         Write-ErrorMessage $ErrorObject
  

•         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Get-Label], ParameterTransformationException
  • FullyQualifiedErrorId : [TimeStamp=Wed, 18 Dec 2024 16:38:58 GMT],Write-ErrorMessage

❌
Error Log created at {file://C:/WINDOWS/system32/22088-M365DSC-ErrorLog.log}

I don't know what exactly it didn't like from the error message. It does look like there are 5 of those policies and it failed at 1/5.

Microsoft 365 DSC Version

1.24.1211.1

Which workloads are affected

Security & Compliance Center

The DSC configuration

Export-M365DSCConfiguration -Components @("SCAuditConfigurationPolicy", "SCAutoSensitivityLabelPolicy", "SCAutoSensitivityLabelRule", "SCCaseHoldPolicy", "SCCaseHoldRule", "SCComplianceCase", "SCComplianceSearch", "SCComplianceSearchAction", "SCComplianceTag", "SCDeviceConditionalAccessPolicy", "SCDeviceConfigurationPolicy", "SCDLPCompliancePolicy", "SCDLPComplianceRule", "SCFilePlanPropertyAuthority", "SCFilePlanPropertyCategory", "SCFilePlanPropertyCitation", "SCFilePlanPropertyDepartment", "SCFilePlanPropertyReferenceId", "SCFilePlanPropertySubCategory", "SCLabelPolicy", "SCProtectionAlert", "SCRetentionCompliancePolicy", "SCRetentionComplianceRule", "SCRetentionEventType", "SCRoleGroup", "SCRoleGroupMember", "SCSecurityFilter", "SCSensitivityLabel", "SCSupervisoryReviewPolicy", "SCSupervisoryReviewRule") -Credential $credential -Path $SavePath -FileName $SaveFileName

Verbose logs showing the problem

See below in the [20/30] section:

$credential = Get-Credential -UserName $SourceTenantUserName -Message "Please enter your password for $SourceTenantUserName" 

PS C:\WINDOWS\system32> Export-M365DSCConfiguration -Components @("SCAuditConfigurationPolicy", "SCAutoSensitivityLabelPolicy", "SCAutoSensitivityLabelRule", "SCCaseHoldPolicy", "SCCaseHoldRule", "SCComplianceCase", "SCComplianceSearch", "SCComplianceSearchAction", "SCComplianceTag", "SCDeviceConditionalAccessPolicy", "SCDeviceConfigurationPolicy", "SCDLPCompliancePolicy", "SCDLPComplianceRule", "SCFilePlanPropertyAuthority", "SCFilePlanPropertyCategory", "SCFilePlanPropertyCitation", "SCFilePlanPropertyDepartment", "SCFilePlanPropertyReferenceId", "SCFilePlanPropertySubCategory", "SCLabelPolicy", "SCProtectionAlert", "SCRetentionCompliancePolicy", "SCRetentionComplianceRule", "SCRetentionEventType", "SCRoleGroup", "SCRoleGroupMember", "SCSecurityFilter", "SCSensitivityLabel", "SCSupervisoryReviewPolicy", "SCSupervisoryReviewRule") -Credential $credential -Path $SavePath -FileName $SaveFileName

Exporting Microsoft 365 configuration for Components: SCAuditConfigurationPolicy, SCAutoSensitivityLabelPolicy, SCAutoSensitivityLabelRule, SCCaseHo
ldPolicy, SCCaseHoldRule, SCComplianceCase, SCComplianceSearch, SCComplianceSearchAction, SCComplianceTag, SCDeviceConditionalAccessPolicy, SCDevice
ConfigurationPolicy, SCDLPCompliancePolicy, SCDLPComplianceRule, SCFilePlanPropertyAuthority, SCFilePlanPropertyCategory, SCFilePlanPropertyCitation
, SCFilePlanPropertyDepartment, SCFilePlanPropertyReferenceId, SCFilePlanPropertySubCategory, SCLabelPolicy, SCProtectionAlert, SCRetentionComplianc
ePolicy, SCRetentionComplianceRule, SCRetentionEventType, SCRoleGroup, SCRoleGroupMember, SCSecurityFilter, SCSensitivityLabel, SCSupervisoryReviewP
olicy, SCSupervisoryReviewRule
 
Authentication methods specified:
- Credentials
 
Connecting to {SecurityComplianceCenter}...✅
[1/30] Extracting [SCAuditConfigurationPolicy] using {Credentials}...✅
[2/30] Extracting [SCAutoSensitivityLabelPolicy] using {Credentials}...✅
[3/30] Extracting [SCAutoSensitivityLabelRule] using {Credentials}...✅
[4/30] Extracting [SCCaseHoldPolicy] using {Credentials}...✅
[5/30] Extracting [SCCaseHoldRule] using {Credentials}...✅
[6/30] Extracting [SCComplianceCase] using {Credentials}...✅
[7/30] Extracting [SCComplianceSearch] using {Credentials}...✅
[8/30] Extracting [SCComplianceSearchAction] using {Credentials}...✅
[9/30] Extracting [SCComplianceTag] using {Credentials}...
    |---[1/8] Employee Records✅
    |---[2/8] Personal Financial PII✅
    |---[3/8] Medical Records Retention Policy✅
    |---[4/8] PII Retention Policy✅
    |---[5/8] Confidential✅
    |---[6/8] Product Retired✅
    |---[7/8] Private✅
    |---[8/8] Public✅
[10/30] Extracting [SCDeviceConditionalAccessPolicy] using {Credentials}...✅
[11/30] Extracting [SCDeviceConfigurationPolicy] using {Credentials}...✅
[12/30] Extracting [SCDLPCompliancePolicy] using {Credentials}...
    |---[1/3] Teams DLP Policy✅
    |---[2/3] Alert on use of Full Names in Teams messages✅
    |---[3/3] Block use of SSNs in Teams messages✅
[13/30] Extracting [SCDLPComplianceRule] using {Credentials}...
    |---[1/6] Low volume of SSN content detected Teams DLP Policy✅
    |---[2/6] High volume of SSN content detected Teams DLP Policy✅
    |---[3/6] Low volume of content detected Teams DLP Policy✅
    |---[4/6] High volume of content detected Teams DLP Policy✅
    |---[5/6] Low volume of Full Names content detected Teams DLP Policy✅
    |---[6/6] High volume of Full Names content detected Teams DLP Policy✅
[14/30] Extracting [SCFilePlanPropertyAuthority] using {Credentials}...✅
    |---[1/3] Business✅
    |---[2/3] Legal✅
    |---[3/3] Regulatory✅
[15/30] Extracting [SCFilePlanPropertyCategory] using {Credentials}...
    |---[1/13] Accounts payable✅
    |---[2/13] Accounts receivable✅
    |---[3/13] Administration✅
    |---[4/13] Compliance✅
    |---[5/13] Contracting✅
    |---[6/13] Financial statements✅
    |---[7/13] Learning and development✅
    |---[8/13] Planning✅
    |---[9/13] Payroll✅
    |---[10/13] Policies and procedures✅
    |---[11/13] Procurement✅
    |---[12/13] Recruiting and hiring✅
    |---[13/13] Research and development✅
[16/30] Extracting [SCFilePlanPropertyCitation] using {Credentials}...
    |---[1/5] Commodity Exchange Act✅
    |---[2/5] Sarbanes-Oxley Act of 2002✅
    |---[3/5] Truth in lending Act✅
    |---[4/5] Health Insurance Portability and Accountability Act of 1996✅
    |---[5/5] OSHA Injury and Illness Recordkeeping and Reporting Requirements✅
[17/30] Extracting [SCFilePlanPropertyDepartment] using {Credentials}...
    |---[1/10] Finance✅
    |---[2/10] Human resources✅
    |---[3/10] Information technology✅
    |---[4/10] Legal✅
    |---[5/10] Marketing✅
    |---[6/10] Operations✅
    |---[7/10] Procurement✅
    |---[8/10] Products✅
    |---[9/10] Sales✅
    |---[10/10] Services✅
[18/30] Extracting [SCFilePlanPropertyReferenceId] using {Credentials}...✅
[19/30] Extracting [SCFilePlanPropertySubCategory] using {Credentials}...✅
[20/30] Extracting [SCLabelPolicy] using {Credentials}...
    |---[1/5] Public PolicyWrite-ErrorMessage : Cannot process argument transformation on parameter 'Identity'. Cannot convert value "00000000-0000-
0000-0000-000000000000" 
to type "Microsoft.Office.CompliancePolicy.Tasks.ComplianceRuleIdParameter". Error: "The format of the value you specified in the objectId parameter isn't valid. Check the value, and then try again.
Parameter name: objectId"
At C:\Users\ricke.REDMOND\AppData\Local\Temp\tmpEXO_ivkn10a1.jxt\tmpEXO_ivkn10a1.jxt.psm1:1207 char:13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Label], ParameterTransformationException
    + FullyQualifiedErrorId : [TimeStamp=Wed, 18 Dec 2024 16:38:58 GMT],Write-ErrorMessage
 
❌
Error Log created at {file://C:/WINDOWS/system32/22088-M365DSC-ErrorLog.log}
[21/30] Extracting [SCProtectionAlert] using {Credentials}...
    |---[1/5] DLP-Low volume of SSN content detected Teams DLP Policy✅
    |---[2/5] DLP-Low volume of Full Names content detected Teams DLP Policy✅
    |---[3/5] DLP-High volume of SSN content detected Teams DLP Policy✅
    |---[4/5] CC_User-reported messages✅
    |---[5/5] CC_Offensive or threatening language✅
[22/30] Extracting [SCRetentionCompliancePolicy] using {Credentials}...
    |---[1/6] U.S. Financial Data Policy✅
    |---[2/6] PII Retention Policy✅
    |---[3/6] Medical Records Retention Policy✅
    |---[4/6] Sensitivity✅
    |---[5/6] Employee Records✅
    |---[6/6] Personal Financial PII✅
[23/30] Extracting [SCRetentionComplianceRule] using {Credentials}...
    Policy [1/6] U.S. Financial Data Policy
    Policy [2/6] PII Retention Policy
        |---[1/1] ctaptr-afcfef9c-7092-466d-8ab7-33f136a390f8✅
    Policy [3/6] Medical Records Retention Policy
        |---[1/1] ctaptr-b91fab0e-7f53-4fb6-88d7-11e9956a9434✅
    Policy [4/6] Sensitivity
        |---[1/2] ctptr-3deefd43-f701-4918-8e0e-782108540e10✅
        |---[2/2] ctptr-966481ce-a739-4317-bf29-cbf8244b651e✅
    Policy [5/6] Employee Records
        |---[1/1] ctptr-4b71ae5b-efa0-41dc-9fa4-212588be7a9b✅
    Policy [6/6] Personal Financial PII
        |---[1/1] ctptr-341c2005-7c60-4f6d-9b88-3cd10e61f57d✅
[24/30] Extracting [SCRetentionEventType] using {Credentials}...
        |---[1/3] Employee activity✅
        |---[2/3] Expiration or termination of contracts and agreements✅
        |---[3/3] Product lifetime✅
[25/30] Extracting [SCRoleGroup] using {Credentials}...
    |---[1/68] OrganizationManagement✅
    |---[2/68] ComplianceAdministrator✅
    |---[3/68] PurviewAdministrators✅
    |---[4/68] AttackSimAdministrators✅
    |---[5/68] AttackSimPayloadAuthors✅
    |---[6/68] SecurityAdministrator✅
    |---[7/68] AuditManager✅
    |---[8/68] BillingAdministrator✅
    |---[9/68] eDiscoveryManager✅
    |---[10/68] InsiderRiskManagement✅
    |---[11/68] InsiderRiskManagementAdmins✅
    |---[12/68] InsiderRiskManagementAnalysts✅
    |---[13/68] InsiderRiskManagementInvestigators✅
    |---[14/68] CommunicationComplianceInvestigators✅
    |---[15/68] CommunicationCompliance✅
    |---[16/68] PrivacyManagement✅
    |---[17/68] PrivacyManagementAdministrators✅
    |---[18/68] PrivacyManagementAnalysts✅
    |---[19/68] PrivacyManagementInvestigators✅
    |---[20/68] SubjectRightsRequestAdministrators✅
    |---[21/68] DataSecurityManagement✅
    |---[22/68] DataInvestigator✅
    |---[23/68] CommunicationComplianceAdministrators✅
    |---[24/68] CommunicationComplianceAnalysts✅
    |---[25/68] CommunicationComplianceViewers✅
    |---[26/68] ComplianceDataAdministrator✅
    |---[27/68] ComplianceManagerAdministrators✅
    |---[28/68] ComplianceManagerAssessors✅
    |---[29/68] ComplianceManagerContributors✅
    |---[30/68] SecurityReader✅
    |---[31/68] GlobalReader✅
    |---[32/68] ComplianceManagerReaders✅
    |---[33/68] PrivacyManagementViewers✅
    |---[34/68] PrivacyManagementContributors✅
    |---[35/68] SubjectRightsRequestApprovers✅
    |---[36/68] SecurityOperator✅
    |---[37/68] DataSourceAdministrators✅
    |---[38/68] InformationProtection✅
    |---[39/68] InformationProtectionInvestigators✅
    |---[40/68] ContentExplorerContentViewer✅
    |---[41/68] ContentExplorerListViewer✅
    |---[42/68] InformationProtectionAnalysts✅
    |---[43/68] DataGovernance✅
    |---[44/68] InformationProtectionAdmins✅
    |---[45/68] DataCatalogCurators✅
    |---[46/68] DataEstateInsightsReaders✅
    |---[47/68] DataEstateInsightsAdmins✅
    |---[48/68] DataSecurityInvestigationAdmins✅
    |---[49/68] DataSecurityInvestigationInvestigators✅
    |---[50/68] DataSecurityInvestigationReviewers✅
    |---[51/68] RecordsManagement✅
    |---[52/68] ExactDataMatchUploadAdmins✅
    |---[53/68] MailFlowAdministrator✅
    |---[54/68] InformationProtectionReaders✅
    |---[55/68] InsiderRiskManagementApprovers✅
    |---[56/68] InsiderRiskManagementAuditors✅
    |---[57/68] IRMContributors✅
    |---[58/68] InsiderRiskManagementSessionApprovers✅
    |---[59/68] KnowledgeAdministrators✅
    |---[60/68] QuarantineAdministrator✅
    |---[61/68] Reviewer✅
    |---[62/68] ServiceAssuranceUser✅
    |---[63/68] SupervisoryReview✅
    |---[64/68] AuditReader✅
    |---[65/68] DefaultRoleAssignmentPolicy✅
    |---[66/68] DLP Policy Permissions - Full Control✅
    |---[67/68] MDO Configuration Security Engineering✅
    |---[68/68] Mailboxes - eDiscovery✅
[26/30] Extracting [SCRoleGroupMember] using {Credentials}...
    |---[1/68] OrganizationManagement✅
    |---[2/68] ComplianceAdministrator✅
    |---[3/68] PurviewAdministrators✅
    |---[4/68] AttackSimAdministrators✅
    |---[5/68] AttackSimPayloadAuthors✅
    |---[6/68] SecurityAdministrator✅
    |---[7/68] AuditManager✅
    |---[8/68] BillingAdministrator✅
    |---[9/68] eDiscoveryManager✅
    |---[10/68] InsiderRiskManagement✅
    |---[11/68] InsiderRiskManagementAdmins✅
    |---[12/68] InsiderRiskManagementAnalysts✅
    |---[13/68] InsiderRiskManagementInvestigators✅
    |---[14/68] CommunicationComplianceInvestigators✅
    |---[15/68] CommunicationCompliance✅
    |---[16/68] PrivacyManagement✅
    |---[17/68] PrivacyManagementAdministrators✅
    |---[18/68] PrivacyManagementAnalysts✅
    |---[19/68] PrivacyManagementInvestigators✅
    |---[20/68] SubjectRightsRequestAdministrators✅
    |---[21/68] DataSecurityManagement✅
    |---[22/68] DataInvestigator✅
    |---[23/68] CommunicationComplianceAdministrators✅
    |---[24/68] CommunicationComplianceAnalysts✅
    |---[25/68] CommunicationComplianceViewers✅
    |---[26/68] ComplianceDataAdministrator✅
    |---[27/68] ComplianceManagerAdministrators✅
    |---[28/68] ComplianceManagerAssessors✅
    |---[29/68] ComplianceManagerContributors✅
    |---[30/68] SecurityReader✅
    |---[31/68] GlobalReader✅
    |---[32/68] ComplianceManagerReaders✅
    |---[33/68] PrivacyManagementViewers✅
    |---[34/68] PrivacyManagementContributors✅
    |---[35/68] SubjectRightsRequestApprovers✅
    |---[36/68] SecurityOperator✅
    |---[37/68] DataSourceAdministrators✅
    |---[38/68] InformationProtection✅
    |---[39/68] InformationProtectionInvestigators✅
    |---[40/68] ContentExplorerContentViewer✅
    |---[41/68] ContentExplorerListViewer✅
    |---[42/68] InformationProtectionAnalysts✅
    |---[43/68] DataGovernance✅
    |---[44/68] InformationProtectionAdmins✅
    |---[45/68] DataCatalogCurators✅
    |---[46/68] DataEstateInsightsReaders✅
    |---[47/68] DataEstateInsightsAdmins✅
    |---[48/68] DataSecurityInvestigationAdmins✅
    |---[49/68] DataSecurityInvestigationInvestigators✅
    |---[50/68] DataSecurityInvestigationReviewers✅
    |---[51/68] RecordsManagement✅
    |---[52/68] ExactDataMatchUploadAdmins✅
    |---[53/68] MailFlowAdministrator✅
    |---[54/68] InformationProtectionReaders✅
    |---[55/68] InsiderRiskManagementApprovers✅
    |---[56/68] InsiderRiskManagementAuditors✅
    |---[57/68] IRMContributors✅
    |---[58/68] InsiderRiskManagementSessionApprovers✅
    |---[59/68] KnowledgeAdministrators✅
    |---[60/68] QuarantineAdministrator✅
    |---[61/68] Reviewer✅
    |---[62/68] ServiceAssuranceUser✅
    |---[63/68] SupervisoryReview✅
    |---[64/68] AuditReader✅
    |---[65/68] DefaultRoleAssignmentPolicy✅
    |---[66/68] DLP Policy Permissions - Full Control✅
    |---[67/68] MDO Configuration Security Engineering✅
    |---[68/68] Mailboxes - eDiscovery✅
[27/30] Extracting [SCSecurityFilter] using {Credentials}...✅
[28/30] Extracting [SCSensitivityLabel] using {Credentials}...
    |---[1/4] Personal✅
    |---[2/4] General✅
    |---[3/4] Internal✅
    |---[4/4] Highly Confidential✅
[29/30] Extracting [SCSupervisoryReviewPolicy] using {Credentials}...
    |---[1/2] Offensive or threatening language✅
    |---[2/2] User-reported messages✅
[30/30] Extracting [SCSupervisoryReviewRule] using {Credentials}...
    |---[1/2] User-reported messages✅
    |---[2/2] Offensive or threatening language✅
⌛ Export took {589 seconds} for {213 instances}

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 26100.1.amd64fre.ge_release.240331-1435
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.26100.2161
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.26100.2161
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion